SQL Statement and Prepared Statement error

Question

The user inputs a disease and the SQL is supposed to return all patient details who have the disease. But i'm getting the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?' at line 1

SQL Query is as shown below. Please help me to debug it.

SELECT patient_personal_details.patient_id, 
       patient_personal_details.first_name, 
       patient_personal_details.last_name, 
       patient_personal_details.gender, 
       patient_personal_details.occupation, 
       patient_personal_details.marital_status 
FROM patient_personal_details
INNER JOIN patient_medical_details
ON patient_personal_details.patient_id = patient_medical_details.patient_id
WHERE patient_medical_details.disease = ?

Here's the code:

public JTable getAllPatientsByDisease(String disease)throws RemoteException{
    JTable table = null;
    try{
        Class.forName("com.mysql.jdbc.Driver");
        Connection con = DriverManager.getConnection("jdbc:mysql://localhost/hospital_database","root","");
        String sql = " SELECT patient_personal_details.patient_id, patient_personal_details.first_name, patient_personal_details.last_name, patient_personal_details.gender, patient_personal_details.occupation, patient_personal_details.marital_status FROM patient_personal_details "
                + " INNER JOIN patient_medical_details "
                + " ON patient_personal_details.patient_id = patient_medical_details.patient_id "
                + " WHERE patient_medical_details.disease = ? ";
        PreparedStatement ps = con.prepareStatement(sql);
        ps.setString(1, disease);
        ResultSet rs = ps.executeQuery(sql);

        table =  new JTable(buildTableModel(rs));
    }
    catch(SQLException | ClassNotFoundException e){
        System.out.println("Error: "+e);
    }
    return table;
}

Answer 1

Updated Answer : (now we have the code)

The problem is here:

ResultSet rs = ps.executeQuery(sql);
// ----------------------------^^^

Remove the sql , just use:

ResultSet rs = ps.executeQuery();

By specifying the SQL as an argument, you were using Statement#executeQuery , not PreparedStatement#executeQuery . Statement#executeQuery uses the SQL string literally, without substituting in the parameters (basically as though you'd not called setString ). (And yes, it's not a fantastic design decision by the JDBC folks.)

---

Original Answer :

The key bit of that error message is "...near '?'" That tells us that you never set a value to be substituted into the query at that point, and so the ? was used literally.

You need to use setString (if the "disease" column is a textual column) or setInt , etc., to set the parameters for the query. Eg:

PreparedStatement ps = connection.prepareStatement("SELECT ... WHERE patient_medical_details.disease = ?");
ps.setString(1, "arachnophobia"); // <===
ResultSet rs = ps.executeQuery();

The parameters are numbered (somewhat surprisingly) starting with 1 for the first ? , 2 for the second, etc.